Archive for November, 2011
This is my new post about Clickjacking ! About a month back there was something like a virus on facebook. It was actually a post which spammed like crazy.
The post was as follows:
This video comes in many forms . One of the other types was that of a video link titled “OMG this is what happened to his daughter“ or some such “catchy” caption. All these spam posts are essentially links which look like videos.The play button is actually an image to imitate the youtube play button. If you view the source code, you can see that it’s just a tag and not a video.
When you click on the play button on the video, it takes you to another website. This website has either of the two following options : In older SPAM posts, a javascript code was displayed, and it persuaded the user to paste the code in the URL to view the video. In newer SPAM posts, There would be a button which read “Click here to verify you are above 18 “.Whenever, the user does any of the above , the code would indirectly “share” the post to all friends. The code essentially imitates the ‘share’ option in facebook.The user is tricked into doing this.
Analyzing this code I can conclude the following. Firstly, the video link shown in the post is actually an image with a hyperlink, not a video Secondly, on clicking the “verify age “ button or pasting the javascript, the user shares the post to all his friends. The technical term given to this type of attack is “ClickJacking”.
This is what Wikipedia has to say about clickjacking
. Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions later, as the user was genuinely authenticated on the other page.
This can be easily found out if one reads through the code of the “verify age” button in the facebook spam. These type of attacks can be put to more deadly uses in bank websites. When a user who has logged in to his bank account visits a website and clicks on a seemingly harmless link, he may actually be transferring money to some other account without his knowledge.
So what are the Ways to prevent clickjacking? As the user of a website, it’s very tough to stay away from clickjacking.You should always keep your eyes open for anything malicious. As a website developer, precautions must be taken to prevent this type of attack. The most common way to prevent this attack is to put a framebuster code in the main page like the following: if(top.location!=self.locaton) { parent.location = self.location; }
If you are interested in developing your own clickjacking page , you can use this tool called the clickjacking tool It’s really cool! It very easily lets you make a site which has a hidden iframe .
Although many attempts are being made to prevent clickjacking on websites, hackers have been developing newer ways to bypass javascript filters put in place. It finally comes down to the developer/security testing team of the website to be vigilant and constantly update themselves with new types of attacks, thus securing the website. Feel free to comment .
Hey!
Im back with the second part of the post. At the end of the last post, we successfully re-routed all the traffic from the victim’s computer to the router through our computer.Next, we have to capture their facebook cookies through wireshark. So How do you go about doing that? It’s very simple actually.
- Open up wireshark
- Goto capture – > Interfaces in the top menu and select your interface. It’s usually the one which has an IP address and a certain number of packets flowing through it.
- Next goto capture and click on start.. It should look something like this
This window has all the packets sent from the victim’s/victims’ computer to the router and all the packets sent from the router to the victim.
Next in the filter type “http.cookie contains datr”. You ask why? Because, when a user logs in to facebook, he is given some cookies which is unique to him. If we replace our cookies with the victim’s cookies, we can login to his account as then facebook wont know the difference.
You now have the cookies. To get the information stored in the cookies, right-click on any one of the cookie and click on Follow TCP stream.
In the TCP stream look for the line Cookie: ( and all cookie names). If it doesn’t come, select some other packet in wireshark and click on follow tcp stream for that. You can see the source IP and destination IP in wireshark. So if you have more than one source IP , then you know you have the cookies of more than one account on your LAN. This is what I got when I did it.
So now you have it
Now open firefox and goto http://www.facebook.com. Once there, click on cookies in the web developer add on which you had installed in the last post. Then do the following
- · Clear session cookies
- · Delete domain cookies
- · Delete path cookies.
IMPORTANT: Once you do this, again type http://www.facebook.com in the URL and click enter. Basically you are reloading facebook after deleting all cookies.
Now login to your account with your username and password. After logging in , click on cookies in web developer add-on and click on “view cookie information”.
And there you have all your cookies :p. Now what to do?! I guess you know it by now. !
Click on “edit cookie” for each cookie there and replace the cookie value with the value you got through wireshark.
If you did not get all the cookies in wireshark its OK! But mainly, you should look to replace the datr cookie, c_user cookie, lu cookie, sct cookie, w cookie and xs cookie.
After replacing all the cookie values with the ones you got in wireshark, just refresh the facebook page. And thats it! You are in to the victim’s account! You have HACKED a facebook account on LAN.:D
<o.w.n.e.d> + <p.w.n.e.d>
So until my next post Sayonara and happy hacking!
My blog has 10k hits right now. Glad to see so many people visiting the blog.
Ok so in this post I am going to show you a way you can hack the facebook accounts of all the people who are on your network (LAN or wifi ) . I have tried this and believe me it works..This is really the best way to hack facebook accounts. Its much easier than installing RATs, Keyloggers or making phishing sites. Ok so off we go!
You will need 3 programs for this
Cain and abel : http://www.oxid.it/cain.html
Wireshark : http://www.wireshark.org/download.html
Web developer add-on for firefox : https://addons.mozilla.org/en-US/firefox/addon/web-developer/
So what exactly happens when you type in http://www.facebook.com and login with your username and password. First download the web developer addon for firefox and then login to facebook. After you log in view the cookies in the web developer toolbar.
Ok now if you click on view cookie information, you will be able to see all the cookies which facebook has transmitted to your browser.
The main cookies are the c_user cookie (which identifies a person uniquely) and datr cookie..
So your aim must be to get the cookies of your victim through wireshark and then replace your cookies with the victim’s. So then, facebook will think you are the victim as you have his cookies and you will be logged in as the victim. Simple isn’t it?
So how do you do this..
First off install cain and abel.It will ask you whether you want to install the packet driver – WinPCap. Go ahead and install that also.Open up cain.
- Click on configure on top and select your Network card. Mostly its the one with an IP address :p
- Next click on the start/stop sniffer on top as shown below in green square.
- Once you start the sniffer, goto the sniffer tab in cain, right-click and click scan mac address as shown below!
Ok now you should have a list of everyone on the network. It may take some time though. You can right-click on any one computer and find out its name.
Now what we are going to do is the actual shit!We are going to do an ARP poison ! What this means is that you fool the router in thinking that you are the victim, and you fool the victim in thinking that you are the router.
So initially victim -> router -> facebook. Now after ARP poison, victim->hacker->router. This is called an MITM(Man in the middle) attack.You can google it for more info :p
Doing the ARP POISON
- First Click the APR tab below in cain.
- Click the white screen in the top frame
- Click the blue plus on top.
Now you should get a list of all the devices on the left and a blank screen on the right..
In the left screen you should select the router IP. And in the right box, select the computers you want to target. To be safe its better to target one computer. But if you want some real fun then select all the computers on the right frame
WARNING: If there is a person at the router, he can know if you have just done an ARP poison. But where is the fun without the risk.:P
You can try googling on other methods to do arp poison safely.
In the top frame all the computer list should have got filled. now select the whole list and click on the nuclear button (top left of cain).
Thats it you are done with the arp poison. Just be careful, if you select too many computers, your computer cant handle the traffic and the network may just crash. I am reminding you, this should be done for ethical reasons !
Now all the data is passing through your computer. All you have to do is sniff the data in wireshark, get the cookie and replace your cookie with victim’s cookie.
Thats what ill be covering in part 2 of this post . Hopefully in a day or two. Till then Cheers!
24 Smartass Acts Of Vandalism
I know, I know vandalism is WRONG. And in some cases illegal. But can’t we laugh at these funny examples of smartass vandalism while we also shake our heads in disapproval?
Watching Pakistan vs Sri Lanka Live Cricket
Watching Pakistan vs Sri Lanka Live Cricket
Junaid calling Junaid
